[strongSwan] Setting the virtual ip gateway?

Noel Kuntze noel at familie-kuntze.de
Thu Sep 18 19:27:43 CEST 2014


Hello Cindy,

You don't need to set a virtual gateway. Well, it's actually kind of senseless, because
in IPsec, you define a list of networks that are supposed to be tunneled.
The VPN server gets the client's traffic and routes it based on the routing table it has.
Hence, what you call "virtual gateway" is _always_ the VPN server.
You cannot make the VPN clients route it anywhere else.

About the virtual IP ranges:
The "ipsec pool" [1] tool can do that. You need to use an SQL database for it though.
You could use an SQLite file for that.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 17.09.2014 at 23:31, Cindy Moore wrote:
> I have two servers on our public network, let's call them nat and vpn.
> vpn, naturally, has the strongSwan VPN set up on it, etc. (if it
> matters, Ubuntu 14.04 is installed on everything).
> Let's say the public network I have is and nat is
> and vpn is
> So ordinarily, for a server that I put on the private network (let's
> say it's, and I give this server, I set its
> gateway to, and nat's /etc/network/interfaces and iptables
> are configured to treat as the gateway for the
> subnet.
> So now I give vpn a handful of addresses from the private network to
> use (say
> Therefore vpn hands out a virtual ip (say on a successful
> connection.  How does vpn also tell the new connection that its
> virtual gateway is now
> I've gone over the ipsec.conf file and I'm not seeing where I can set
> this.  Does the vpn server need to set up some kind of connection to
> itself?
> I haven't set this up:
> iptables -t nat -A POSTROUTING -s -o eth0 -m policy --dir
> out --pol ipsec -j ACCEPT
> iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
> (from https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> )
> because server nat already has these in its iptables (in slightly
> different format).
> As an aside, is it at all possible to specify a set of available
> virtual ip addresses as a range rather than in CIDR format? I've
> basically been given - which works out to
>,,,,  in
> CIDR format (facepalm)
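As an added example, not taken from this thread and not strongSwan's own code, the Python below works through the range-versus-CIDR point raised in the question and Noel's pointer to the pool tool: it splits an arbitrary start/end range into the minimal set of CIDR blocks (the "facepalm" case), builds the single `ipsec pool --add` command from the IpsecPool wiki page linked above, which takes the range directly and needs no split, and emits the POSTROUTING rule pair from the ForwardingAndSplitTunneling page for each block. The range 192.0.2.100 to 192.0.2.119 (TEST-NET-1), the pool name `vpnpool`, the interface name, the timeout and the helper function names are assumptions made for this example.

```python
"""Range-to-CIDR, ipsec pool and NAT rule helpers for a strongSwan virtual IP range.

Example code added to the thread; not from the original mail or strongSwan.
"""
import ipaddress
from typing import List


def range_to_cidrs(start: str, end: str) -> List[str]:
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks.

    A range whose ends are not aligned to power-of-two boundaries cannot be
    expressed as one CIDR block; this is why a handed-out range turns into
    several networks when written in CIDR form.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def pool_add_command(name: str, start: str, end: str, timeout_hours: int = 48) -> str:
    """Build the `ipsec pool --add` invocation for the same range.

    Syntax as documented on the IpsecPool wiki page linked in the mail: the
    pool tool takes --start and --end directly, so no CIDR split is needed.
    The tool needs the attr-sql plugin with a database (e.g. SQLite)
    configured. Pool name and timeout here are assumptions.
    """
    range_to_cidrs(start, end)  # reuse the validation; raises on a reversed range
    return (f"ipsec pool --add {name} --start {start} --end {end} "
            f"--timeout {timeout_hours}")


def nat_rules(cidrs: List[str], iface: str = "eth0") -> List[str]:
    """Emit the POSTROUTING pair from the ForwardingAndSplitTunneling page per block.

    Order matters within each pair: in the nat table, ACCEPT ends chain
    traversal, so packets that will be IPsec-protected on the way out
    (matched by -m policy --dir out --pol ipsec) are never masqueraded;
    everything else sourced from the pool hits MASQUERADE.
    """
    rules = []
    for cidr in cidrs:
        rules.append(f"iptables -t nat -A POSTROUTING -s {cidr} -o {iface} "
                     f"-m policy --dir out --pol ipsec -j ACCEPT")
        rules.append(f"iptables -t nat -A POSTROUTING -s {cidr} -o {iface} "
                     f"-j MASQUERADE")
    return rules


if __name__ == "__main__":
    # Constructed example range (TEST-NET-1); not the addresses from the thread.
    START, END = "192.0.2.100", "192.0.2.119"
    blocks = range_to_cidrs(START, END)
    print("CIDR blocks covering the range:", ", ".join(blocks))
    print(pool_add_command("vpnpool", START, END))
    print("\n".join(nat_rules(blocks)))
```

Running it shows the 20-address range becoming three CIDR blocks (a /30 and two /29s) while the pool command stays a single line, and prints an ACCEPT rule ahead of each MASQUERADE rule so that tunnelled traffic is left alone by NAT.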
